AWeber Database Hacked, Email Addresses Stolen. Again.

Have you ever heard of Aweber?
No? Chances are that you received email from them without knowing it.

You see, from large corporations to small bloggers, lots of people maintain a mailing list. Subscribers typically sign up through a “double opt-in” (they submit their address, receive a first email with a confirmation link, and only get added to the list once they click it, which proves the address is theirs and that they really want the mail) and then receive special offers, newsletters and so on. Normally that’s all legitimate, no spam involved at all.
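As an added illustration of the double opt-in step described above (this is example code written for this article, not code from the original post, from AWeber or from any ESP), here is a minimal confirmation-link scheme: the link carries a token that authenticates the address, the list and an expiry with an HMAC, so an attacker cannot forge a confirmation for someone else’s address, and nothing is written to the subscriber list until the token checks out. The secret key, the list identifier, the 48-hour lifetime and the in-memory subscriber store are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set, Tuple

# Hypothetical server-side secret, constructed for this example only.
# A real deployment loads it from a secrets store and rotates it.
SECRET_KEY = b"example-only-secret-rotate-me"
TOKEN_TTL_SECONDS = 48 * 3600  # assumed lifetime of a confirmation link


def _b64e(raw: bytes) -> str:
    # URL-safe base64 without padding, so the token survives in a query string
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(email: str, list_id: str,
                            now: Optional[float] = None,
                            key: bytes = SECRET_KEY) -> str:
    """Build the opaque token embedded in the first (confirmation) email.

    The payload (normalised address, list id, expiry) is authenticated with
    HMAC-SHA256, so the server needs no pending-signup row until the
    subscriber actually clicks the link.
    """
    exp = int(now if now is not None else time.time()) + TOKEN_TTL_SECONDS
    payload = json.dumps({"e": email.strip().lower(), "l": list_id, "x": exp},
                         separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(mac)


def verify_confirmation_token(token: str, now: Optional[float] = None,
                              key: bytes = SECRET_KEY
                              ) -> Optional[Tuple[str, str]]:
    """Return (email, list_id) for a valid, unexpired token, else None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _b64d(payload_b64), _b64d(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time compare: a forged or edited payload fails here, before
    # anything in it is trusted or parsed.
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        data = json.loads(payload)
        email, list_id, exp = data["e"], data["l"], int(data["x"])
    except (ValueError, TypeError, KeyError):
        return None
    if int(now if now is not None else time.time()) >= exp:
        return None  # link expired; the visitor must sign up again
    return email, list_id


def confirm_subscription(subscribers: Dict[str, Set[str]], token: str,
                         now: Optional[float] = None) -> bool:
    """Handler for the confirmation click: adds the address only on a valid token."""
    result = verify_confirmation_token(token, now)
    if result is None:
        return False
    email, list_id = result
    subscribers.setdefault(list_id, set()).add(email)
    return True


if __name__ == "__main__":
    lists: Dict[str, Set[str]] = {}
    tok = make_confirmation_token("Alice@Example.com", "newsletter")
    print("confirmation link: https://example.test/confirm?t=" + tok)
    print("confirmed:", confirm_subscription(lists, tok), lists)
```

The signup form only ever sends the email; the address joins the list when `confirm_subscription` succeeds, which is what makes the addresses on such a list “confirmed, real” and therefore so valuable to whoever steals them.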

But maintaining such a mailing list is not trivial. Not only do you have to set up the double opt-in process, you also need a reliable way for people to unsubscribe or change their email address, you have to delete addresses that bounce repeatedly and deal with CAN-SPAM compliance. You need servers that can reliably deliver thousands of emails without getting blocked, and maybe even a tracking system to find out who read your messages and who clicked on the links in them.

It can be a lot of hassle, and that’s where AWeber comes in. AWeber is a so-called Email Service Provider, or ESP: a company that manages mailing lists for others. According to their website, “over 80,000 businesses trust us to deliver their email marketing campaigns.” So you see how likely it is that the newsletter from your car dealer actually came through AWeber?

You read the headline, so you already know what’s coming next. AWeber lost its database to hackers. And not just any database, but the most valuable, the most sought-after, the holy grail of its databases: the subscriber list. To give you an idea of the magnitude of this breach, let’s assume that each of the 80,000 AWeber customers has on average 500 subscribers on their list, which seems reasonable, as 500 is the lowest of their six service levels, the highest one covering over 25,000 subscribers. That would mean 40 million confirmed, real email addresses are now in the wild!

Yes, your email address that you entrusted to a few of your favorite sites is now, along with millions of others, in the hands of spammers if even one of those sites happened to use AWeber. And they know what your interests are from the type of mailing lists you were subscribed to! If you haven’t already, you can expect all sorts of sleazy come-ons to fill your inbox soon.

What’s most outrageous about it, though, is that this is already the second time in less than a year that AWeber screwed up. When the same thing happened in December 2009, AWeber promised:

We have taken extra steps beyond fixing the problem to ensure that such a breach cannot occur again.

Yet here we are, 10 months later, with a bad case of déjà vu. Let’s be clear about just how hollow AWeber’s reassurance was: “On Saturday, October 16th, an unknown person gained unauthorized access … We became aware of the incident on Monday”. What they are saying is that the intruder had the whole weekend to copy data as they pleased, undisturbed, because nobody at AWeber was watching until Monday.

Let me get this straight: you’re hosting sensitive data for tens of thousands of businesses and millions of end users, your systems have been broken into before, and you admit that “On a daily basis, a few thousand attempts are made to attack AWeber.” Yet you have no 24-hour watch, no one on call, no functioning intrusion detection system in place, and on Friday night you just go home to enjoy the weekend?

It doesn’t end there, I find AWeber’s handling of the aftermath appalling:

The first time around, they tried to keep the whole affair quiet and only admitted to it after being called out by some of their customers, who already discovered back then that “it seems that their support don’t work weekends”.

After the first breach they didn’t even apologize, and added a lame “We’re Sorry” only later, after pressure from the blogosphere. The new incident now comes with a We’re Sorry right away, but then as now, they only apologize to their direct customers; not a word to the ones who now have to deal with a deluge of spam in their inbox, the list subscribers. AWeber leaves it up to its customers to deal with that PR nightmare. See Darren Rowse at the last link:

I’ve got over 333,000 subscribers who have potentially been receiving spam in the last few days. This makes me feel ill and embarrassed. I’ve fielded many many emails in the last few days from angry and confused readers. While not all will realize why they’re being spammed now some … have a damaged view of my brand (and some have unsubscribed).

Interestingly, the blog posts admitting the two breaches have comments turned off. Seems like AWeber prefers not to face the reality of some very disappointed customers and angry subscribers.

Boldly listing all the things that did not get accessed to downplay the severity of what did is disingenuous, especially when you’re scraping the bottom of the barrel to come up with more items. You know what? The hackers/spammers probably didn’t care about affiliates’ tax IDs in the first place. Even a customer credit card can be canceled, but you can’t cancel the damage to that customer’s business reputation. Neither can you ever get back all the private email addresses that are now going to be freely traded among criminals.

You don’t hear much about this whole mess because AWeber has an affiliate program and many pro bloggers in the marketing space, who would normally write about such things, make a good chunk of dough pushing this service. Of course they don’t want to bite the hand that feeds them. But if you run a mailing list, look into some alternatives to AWeber, your business reputation will thank you. Here are five that I heard good things about:

If you’re geek enough to try and manage the list completely on your own, there is a good free open-source solution: phpList.

And if you are a subscriber and use the anti-spam system explained on my homepage (a unique address for every site you sign up with, so you know exactly who leaked it), you can simply turn off the affected email addresses and move on. If you don’t use such a system, I’m really sorry for you. Maybe it’s about time to start; it’s not that hard.
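For readers who want to see the idea in code, here is an added example (written for this article, not the system from my homepage nor anything from AWeber) of the unique-address approach: every site gets its own randomly tagged alias under a domain you control, a registry remembers which site got which alias, and a small report attributes incoming spam to the site that leaked the alias so you can switch that one address off. The catch-all domain `example.net`, the site names, the alias format and the sample inbox are all constructed assumptions; the point is the attribution and the kill switch, which also answers the objection that a plain catch-all domain attracts spam to made-up addresses, because here only registered, enabled aliases are accepted.

```python
import secrets
from collections import defaultdict
from email.utils import parseaddr
from typing import Dict, Iterable, Set, Tuple

CATCHALL_DOMAIN = "example.net"  # hypothetical domain whose mail you receive


def new_alias(site: str, domain: str = CATCHALL_DOMAIN) -> str:
    """Mint a fresh address to hand to one site.

    The random suffix keeps the alias unguessable, so spam to an alias can
    only come from the site it was given to or from someone that site leaked it to.
    """
    tag = "".join(c for c in site.lower() if c.isalnum())[:12] or "site"
    return f"{tag}-{secrets.token_hex(3)}@{domain}"


def sender_domain(header_from: str) -> str:
    """Domain part of a From: header such as 'Car News <news@carnews.example>'."""
    _, addr = parseaddr(header_from)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _same_org(domain: str, site_domain: str) -> bool:
    # Accept the site itself and its subdomains (mail.carnews.example)
    return domain == site_domain or domain.endswith("." + site_domain)


def find_leaked_aliases(messages: Iterable[Tuple[str, str]],
                        registry: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each alias that received mail from a stranger to the sender domains seen.

    messages: (envelope recipient alias, From header) pairs.
    registry: alias -> domain of the site the alias was handed to.
    """
    leaked: Dict[str, Set[str]] = defaultdict(set)
    for rcpt, header_from in messages:
        alias = rcpt.lower()
        if alias not in registry:
            continue  # never handed out; accept_recipient() rejects these anyway
        dom = sender_domain(header_from)
        if not _same_org(dom, registry[alias]):
            leaked[alias].add(dom)
    return dict(leaked)


def leak_report(leaked: Dict[str, Set[str]], registry: Dict[str, str]) -> Dict[str, str]:
    """alias -> site that leaked it (the site the alias was registered for)."""
    return {alias: registry[alias] for alias in leaked}


def accept_recipient(rcpt: str, registry: Dict[str, str], disabled: Set[str]) -> bool:
    """Mail-server policy: deliver only to registered aliases that are still switched on."""
    alias = rcpt.lower()
    return alias in registry and alias not in disabled


def disable_alias(alias: str, disabled: Set[str]) -> None:
    """The kill switch: once an alias is burned, bounce everything sent to it."""
    disabled.add(alias.lower())


# Constructed sample registry and inbox (not real data)
ALIAS_REGISTRY = {
    "carnews-7f3a@example.net": "carnews.example",
    "blogtips-21cd@example.net": "blogtips.example",
    "bank-a91e@example.net": "bank.example",
}

SAMPLE_INBOX = [
    ("carnews-7f3a@example.net", "Car News <newsletter@carnews.example>"),
    ("carnews-7f3a@example.net", "alerts@mail.carnews.example"),
    ("blogtips-21cd@example.net", "Blog Tips <list@blogtips.example>"),
    ("blogtips-21cd@example.net", "Best Offers <offers@cheap-pills.example>"),
    ("blogtips-21cd@example.net", "win@lottery-prize.example"),
    ("bank-a91e@example.net", "Your Bank <notify@bank.example>"),
    ("nobody-0000@example.net", "spammer@random.example"),
]

if __name__ == "__main__":
    leaked = find_leaked_aliases(SAMPLE_INBOX, ALIAS_REGISTRY)
    for alias, site in leak_report(leaked, ALIAS_REGISTRY).items():
        print(f"{alias} was leaked by {site}; strangers: {sorted(leaked[alias])}")
    burned: Set[str] = set()
    for alias in leaked:
        disable_alias(alias, burned)
    print("still delivering to blogtips alias:",
          accept_recipient("blogtips-21cd@example.net", ALIAS_REGISTRY, burned))
    print("replacement alias:", new_alias("Blog Tips"))
```

In the constructed inbox only the alias given to the blog-tips site hears from strangers, so that is the site (or its ESP) that lost the address; the car-news and bank aliases stay in service, and the blog-tips alias is disabled and replaced without touching your real address.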

PS: I contacted AWeber to comment for this story but have not received a reply.

Thanks for explaining this! I was wondering why i suddenly began getting spammed… what to do now?? This is really damn fubar’d, esp when it’s the second time.
Is there a way for me to know what service a site uses?

I’m an aweber user – and at least some of my subscribers got hit by this. And I certainly did myself.

I noticed a big uptick in spam earlier in the week. I used to use the sort of unique email address system you recommend (not so easy nowadays as few hosts allow you to use catch-all emails – it opens them up to spamming to unknown email addresses) and I got lots sent to many of these unique addresses, so I realised it couldn’t be as simple as my email address being scraped from the web.

Then one of my subscribers complained. Again because they’d used a unique email address to join my newsletter list.

I googled around and found out about the aweber hack.

What’s really annoying is that aweber didn’t see fit to email its users to warn them of this. Ironic for an email marketing company. They chose to sneak out a blog post with no publicity.

So I’m now switching all my lists over to another service – and removing my recommendations of aweber.

Let’s not forget that it’s the hackers that are the real culprits. The first time shoulda been a wakeup call tho. And yeah, how aweber handled it was horrible, just sitting tight and hoping it will all just go away…

When Aweber got hacked for the first time in December, I suffered a major blow to my business. My list got diluted with spam activity and my subscribers were very upset and complained to me. Like it was my fault…
I made a decision to switch email marketing providers back then, and moved my entire list to GetResponse. I cannot believe that this just happened again to Aweber. Surely you would think that they have learned their lesson by now. Clearly, their security sucks. I feel sorry for their customers, and trust me — I know the feeling.

I subscribe to a computer newsletter thru aweber and my address has also been hacked twice. The publisher has now dumped these dopes and will be using a new company for his publication. He’s a good guy and doesn’t deserve this crap. For me it’s no problem because I use disposable email addresses for everything. The address that I have been using for the newsletter (same as above) will soon disappear into the cosmos and be changed to something else unique.
I would highly recommend doing what is recommended above in the link to the “anti-spam system” or setting up an account with a disposable email address provider such as Sharpmail. Then you always know the source of the spam you get and you have the power to wipe out the old address and make up a new one while never revealing your true address to anyone. Basic Sharpmail is free, but I prefer to pay about $33 a year for their full services, including top notch tech support and I want to keep them profitable and in business. I also think Sharpmail may be a little more simple/user friendly than buying your own domain, but the power you gain over your own email is pretty comparable.

The last time my address was hacked thru aweber, I was told the person to complain to was named Sean Cohen, director of operations. sean@aweber.com was the address that I had but don’t know if it is still good.

Only found out about these hacks now when I had to change the settings of my spam filters. Had to allow some people using freemailers in and… poof, I got lots of spam. Some I could trace back to an email subscription I did in late 2010, and that company investigated further and found out that their email provider (aweber) was hacked and had not notified them of this. Hope they take the right consequences.

I’ve heard of more issues with Aweber after this, but I don’t have the same level of evidence to back it up. But many of the email addresses I use via my Bustspammers system started receiving spam and the mailing lists I subscribed to using those addresses are almost all managed by AWeber.